Error updating apt repo: Policy rejected packet type Caused by: Signature Packet v3 is not considered secure #3869

Closed
er0k opened this issue Dec 24, 2024 · 5 comments
Labels: area/release-eng, kind/bug, priority/critical-urgent, sig/release, triage/accepted

Comments

er0k commented Dec 24, 2024

What happened:

I recently updated apt to 2.9.19 on Debian sid and I'm unable to update the kubernetes repositories. When I run apt update I get this error:

Get:4 https://prod-cdn.packages.k8s.io/repositories/isv:/kubernetes:/core:/stable:/v1.32/deb  InRelease [1,186 B]
Err:4 https://prod-cdn.packages.k8s.io/repositories/isv:/kubernetes:/core:/stable:/v1.32/deb  InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Error: Policy rejected packet type  Caused by:     Signature Packet v3 is not considered secure since 2021-02-01T00:00:00Z
Hit:17 https://download.sublimetext.com apt/dev/ InRelease
Warning: GPG error: https://prod-cdn.packages.k8s.io/repositories/isv:/kubernetes:/core:/stable:/v1.32/deb  InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Error: Policy rejected packet type  Caused by:     Signature Packet v3 is not considered secure since 2021-02-01T00:00:00Z
Error: The repository 'https://pkgs.k8s.io/core:/stable:/v1.32/deb  InRelease' is not signed.
Notice: Updating from such a repository can't be done securely, and is therefore disabled by default.

What you expected to happen:

I can run apt update to update kubernetes package information

How to reproduce it (as minimally and precisely as possible):

  1. configure kubernetes apt repo according to these instructions
  2. use apt 2.9.19
  3. run apt update

Anything else we need to know?:

apt-listchanges says:

apt (2.9.19) unstable; urgency=medium

This release switches to OpenSSL for hashing and TLS, replacing the
GnuTLS and gcrypt libraries.

I'm not sure if this is a bug in apt, but all my other repositories are working fine, only the kubernetes repo is throwing this error. apt update works fine in Debian stable (12/bookworm) using apt 2.6.1 with the kubernetes repo.

Environment:

$ uname -srvo
Linux 6.12.6-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.6-1 (2024-12-21) GNU/Linux
$ apt --version
apt 2.9.19 (amd64)
$ head -n1 /etc/os-release 
PRETTY_NAME="Debian GNU/Linux trixie/sid"
$ openssl version
OpenSSL 3.3.2 3 Sep 2024 (Library: OpenSSL 3.3.2 3 Sep 2024)

er0k added the area/release-eng, kind/bug and sig/release labels Dec 24, 2024

Member

xmudrii commented Dec 24, 2024

I can confirm this issue; however, this issue is with our repositories provider (OpenBuildService) and we can't do much about this at the moment. We'll raise this issue with them, but given it's the holiday season, it might take a while for this to get sorted out.

For the time being, I advise staying away from apt 2.9.19 if possible. apt 2.9.16 is working fine.

/triage accepted
/priority critical-urgent
/assign

k8s-ci-robot added the triage/accepted and priority/critical-urgent labels and removed the needs-priority label Dec 24, 2024

Member

xmudrii commented Dec 24, 2024

Update: I've sent a message to the OpenBuildService folks via their IRC channel.


mythi commented Jan 4, 2025

I've followed the apt issue a bit more as I ran into it also. apt moved to an sqv-based signature verification method, and the sqv default policy rejects the OBS-generated apt repos. Details: openSUSE/open-build-service#4174

However, the "latest" version of apt should now give more time for repos to move to v3+:

cat /usr/share/apt/default-sequoia.config
[hash_algorithms]
sha1.second_preimage_resistance = 2026-01-01
[packets]
signature.v3 = 2026-01-01

The gpgv based verification method is still supported:

sudo apt update -o APT::Key::GPGVCommand=1
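
An added example, not part of the thread and not code from apt or sqv: a Python check that reads the signature packet version out of an InRelease file's armored signature and compares it with the two v3 cutoff dates quoted in this thread. The function names and the sample packet are constructed for illustration; only old-format and short new-format packet lengths are handled.

```python
import base64
from datetime import date

# "Not considered secure since" dates for v3 signature packets quoted in this thread.
SQV_DEFAULT = {3: date(2021, 2, 1)}    # from the sqv error message
APT_OVERRIDE = {3: date(2026, 1, 1)}   # from default-sequoia.config
BEGIN, END = "-----BEGIN PGP SIGNATURE-----", "-----END PGP SIGNATURE-----"

def signature_bytes(inrelease: str) -> bytes:
    """Decode the armored signature block of a clearsigned InRelease file."""
    lines = inrelease.splitlines()
    body = lines[lines.index(BEGIN) + 1:lines.index(END)]
    body = body[body.index("") + 1:]   # armor headers end at the first blank line
    # A line starting with "=" is the optional CRC24 checksum, not signature data.
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def signature_versions(raw: bytes) -> list[int]:
    """Walk the OpenPGP packets; return the version octet of each signature packet."""
    versions, i = [], 0
    while i < len(raw):
        hdr, i = raw[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                     # new-format header
            tag, first = hdr & 0x3F, raw[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + raw[i + 1] + 192, i + 2
            else:
                raise ValueError("length encoding not handled")
        else:                              # old-format header
            tag, size = (hdr >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}.get(hdr & 0x03)
            if size is None:
                raise ValueError("indeterminate length not handled")
            length, i = int.from_bytes(raw[i:i + size], "big"), i + size
        if tag == 2:                       # tag 2 = signature packet
            versions.append(raw[i])        # first body octet is the version
        i += length
    return versions

def rejected(version: int, policy: dict, today: date) -> bool:
    return version in policy and today >= policy[version]

# Constructed sample: a dummy v3 signature packet (not a valid signature) in armor.
_pkt = bytes([3, 5, 0x01]) + bytes(4) + bytes(8) + bytes([1, 8]) + bytes(2) + b"\x00\x08\xff"
_b64 = base64.b64encode(bytes([0x88, len(_pkt)]) + _pkt).decode()
SAMPLE = (f"-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nOrigin: constructed\n"
          f"{BEGIN}\n\n{_b64}\n{END}\n")
```

Running `signature_versions(signature_bytes(open(path).read()))` on a downloaded InRelease file shows whether a repository still ships v3 signature packets before the later cutoff takes effect.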

Member

xmudrii commented Jan 6, 2025

@mythi Thanks for reporting this! I can confirm that the latest apt version v2.9.21 is not affected by this issue, so our recommendation is to upgrade your apt if you're affected by this issue. Other than that, there's nothing else we can do on our side until this is fixed on the OBS side.

Because of that, I'll go ahead and close this issue.
/close

@k8s-ci-robot
Contributor

@xmudrii: Closing this issue.
